Bug #64722 [Fbk]: PDO extension causes zend_mm_heap corrupted
Edit report at https://bugs.php.net/bug.php?id=64722&edit=1 ID: 64722 Updated by: larue...@php.net Reported by:tj dot botha at plista dot com Summary:PDO extension causes zend_mm_heap corrupted Status: Feedback Type: Bug Package:PDO related Operating System: Ubuntu Server 12.10 PHP Version:master-Git-2013-04-26 (Git) Block user comment: N Private report: N New Comment: if you can reproduce it in a 100% chance, please run it with valgrind, let's see what valgrind says about this.. thanks Previous Comments: [2013-04-30 16:16:29] tj dot botha at plista dot com Ok - I just recompiled apache with prefork (It was supposed to be the default, instead it defaulted to event) - and recompiled PHP, and it is no longer multithreaded - and the problem persists: Apache information now: Server version: Apache/2.4.4 (Unix) Server built: Apr 30 2013 17:41:49 Server's Module Magic Number: 20120211:11 Server loaded: APR 1.4.6, APR-UTIL 1.5.2 Compiled using: APR 1.4.6, APR-UTIL 1.5.2 Architecture: 64-bit Server MPM: prefork threaded: no forked: yes (variable process count) Server compiled with -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/usr/local/apache2" -D SUEXEC_BIN="/usr/local/apache2/bin/suexec" -D DEFAULT_PIDLOG="logs/httpd.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="conf/mime.types" -D SERVER_CONFIG_FILE="conf/httpd.conf" PHP Information : System Linux dev 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:31:23 UTC 2012 x86_64 Build Date Apr 30 2013 17:54:17 Configure Command'./configure' '--with- apxs2=/usr/local/apache2/bin/apxs' '--enable-mbstring' '--with-config-file- path=/etc/php5/' '--with-gettext=/usr/bin/gettext' '--with-config-file-scan- dir=/etc/php5/mods-enabled/' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '-- with-pdo-mysql=mysqlnd' '--with-openssl' '--with-libdir=/lib/x86_64-linux-gnu/' '--enable-debug' Server API Apache 2.0 Handler Virtual Directory Support disabled Configuration File (php.ini) Path /etc/php5/ Loaded Configuration File /etc/php5/php.ini Scan this dir for additional .ini files /etc/php5/mods-enabled/ Additional .ini files parsed/etc/php5/mods-enabled/xdebug.ini PHP API 20100412 PHP Extension 20100525 Zend Extension 220100525 Zend Extension BuildAPI220100525,NTS,debug PHP Extension Build API20100525,NTS,debug Debug Build yes Thread Safety disabled Zend Signal Handlingdisabled Zend Memory Manager enabled Zend Multibyte Support provided by mbstring IPv6 Supportenabled DTrace Support disabled Registered PHP Streams https, ftps, php, file, glob, data, http, ftp, phar Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls Registered Stream Filters convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk Apache PHP Information Apache Version Apache/2.4.4 (Unix) OpenSSL/1.0.1c PHP/5.4.14 Apache API Version 20120211 Server Administratory...@example.com Hostname:Port dev:0 User/Group www-data(33)/33 Max RequestsPer Child: 0 - Keep Alive: on - Max Per Connection: 100 TimeoutsConnection: 60 - Keep-Alive: 5 Virtual Server No Server Root /usr/local/apache2 Loaded Modules core mod_so http_core prefork mod_authn_file mod_authn_dbm mod_authn_anon mod_authn_dbd mod_authn_socache mod_authn_core mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_dbm mod_authz_owner mod_authz_dbd mod_authz_core mod_access_compat mod_auth_basic mod_auth_form mod_auth_digest mod_allowmethods mod_file_cache mod_cache mod_cache_disk mod_socache_shmcb mod_socache_dbm mod_socache_memcache mod_dbd mod_dumpio mod_buffer mod_ratelimit mod_reqtimeout mod_ext_filter mod_request mod_include mod_filter mod_substitute mod_sed mod_deflate mod_mime mod_log_config mod_log_debug mod_logio mod_env mod_expires mod_headers mod_unique_id mod_setenvif mod_version mod_remoteip mod_proxy mod_proxy_connect mod_proxy_ftp mod_proxy_http mod_proxy_fcgi mod_proxy_scgi mod_proxy_ajp mod_proxy_balancer mod_proxy_express mod_session mod_session_cookie mod_session_dbd mod_slotmem_shm mod_ssl mod_lbmethod_byrequests mod_lbmethod_bytraffic mod_lbmethod_bybusyness mod_lbmethod_heartbeat mod_unixd mod_dav mod_status mod_autoindex mod_info mod_cgid mod_dav_fs mod_vhost_alias mod_negotiation mod_dir mod_actions mod_speling mod_userdir mod_alias mod_rewrite mod_php5 This is running on a Ubuntu 12.10 virtual server. Unfortunately I have to go now but I
Bug #64722 [Fbk]: PDO extension causes zend_mm_heap corrupted
Edit report at https://bugs.php.net/bug.php?id=64722&edit=1
ID: 64722
Updated by: johan...@php.net
Reported by:tj dot botha at plista dot com
Summary:PDO extension causes zend_mm_heap corrupted
Status: Feedback
Type: Bug
Package:PDO related
Operating System: Ubuntu Server 12.10
PHP Version:master-Git-2013-04-26 (Git)
Block user comment: N
Private report: N
New Comment:
so, the new backtrace has tsrm symbols, so what environment are you
using?8which web server,sapi, ...) Why threaded context?
And please try using helgrind (valgrind --tool=helgrind) with the server, this
should show details on race conditions.
Previous Comments:
[2013-04-30 15:07:35] tj dot botha at plista dot com
Also - some additional info which may help:
(gdb) frame 3
#3 0x7fffeb3e0056 in pdo_dbh_free_storage (dbh=0x7fffd00f56c0,
tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/ext/pdo/pdo_dbh.c:1577
1577zend_object_std_dtor(&dbh->std TSRMLS_CC);
(gdb) print dbh->std
$1 = {ce = 0x7fffd6d3afc0, properties = 0x0, properties_table = 0x7fffd6d39378,
guards = 0x0}
(gdb)
and
for source_code/Zend/zend_objects.c:37 to 59:
ZEND_API void zend_object_std_dtor(zend_object *object TSRMLS_DC)
{
if (object->guards) {
zend_hash_destroy(object->guards);
FREE_HASHTABLE(object->guards);
}
if (object->properties) {
zend_hash_destroy(object->properties);
FREE_HASHTABLE(object->properties);
if (object->properties_table) {
efree(object->properties_table);
}
} else if (object->properties_table) {
int i;
for (i = 0; i < object->ce->default_properties_count; i++) {
if (object->properties_table[i]) {
zval_ptr_dtor(&object->properties_table[i]);
}
}
efree(object->properties_table);
}
}
(gdb) print object->properties_table[0]
$2 = (zval *) 0x5a5a5a5a5a5a5a5a
(gdb) print &object->properties_table[0]
$3 = (zval **) 0x7fffd6d39378
(gdb) print object->ce->default_properties_count
$4 = 2
(gdb) print i
$5 = 0
(gdb)
Not sure if this loop is thread safe:
for (i = 0; i < object->ce->default_properties_count; i++) {
if (object->properties_table[i]) {
zval_ptr_dtor(&object->properties_table[i]);
}
}
Thanks for your help!
[2013-04-30 15:01:07] tj dot botha at plista dot com
That is an old backtrace - here is the newest:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd8fe9700 (LWP 31920)]
0x7fffeb6a5722 in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/tj/php-
5.4.14/Zend/zend.h:395
395 return --pz->refcount__gc;
(gdb) backtrace
#0 0x7fffeb6a5722 in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/tj/php-
5.4.14/Zend/zend.h:395
#1 0x7fffeb6a7d06 in _zval_ptr_dtor (zval_ptr=0x7fffd6d39378,
__zend_filename=0x7fffebb88468 "/home/tj/php-5.4.14/Zend/zend_objects.c",
__zend_lineno=54)
at /home/tj/php-5.4.14/Zend/zend_execute_API.c:432
#2 0x7fffeb6f258a in zend_object_std_dtor (object=0x7fffd00f56c0,
tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_objects.c:54
#3 0x7fffeb3e0056 in pdo_dbh_free_storage (dbh=0x7fffd00f56c0,
tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/ext/pdo/pdo_dbh.c:1577
#4 0x7fffeb6fac18 in zend_objects_store_del_ref_by_handle_ex (handle=122,
handlers=0x7fffebeb8a20 , tsrm_ls=0x7fffd0017170)
at /home/tj/php-5.4.14/Zend/zend_objects_API.c:221
#5 0x7fffeb6fa759 in zend_objects_store_del_ref (zobject=0x7fffd6d240e0,
tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_objects_API.c:173
#6 0x7fffeb6baacd in _zval_dtor_func (zvalue=0x7fffd6d240e0,
__zend_filename=0x7fffebb83be8 "/home/tj/php-5.4.14/Zend/zend_execute_API.c",
__zend_lineno=438)
at /home/tj/php-5.4.14/Zend/zend_variables.c:54
#7 0x7fffeb6a58c1 in _zval_dtor (zvalue=0x7fffd6d240e0,
__zend_filename=0x7fffebb83be8 "/home/tj/php-5.4.14/Zend/zend_execute_API.c",
__zend_lineno=438)
at /home/tj/php-5.4.14/Zend/zend_variables.h:35
#8 0x7fffeb6a7da9 in _zval_ptr_dtor (zval_ptr=0x7fffd6bee268,
__zend_filename=0x7fffebb84cb0 "/home/tj/php-5.4.14/Zend/zend_variables.c",
__zend_lineno=182)
at /home/tj/php-5.4.14/Zend/zend_execute_API.c:438
#9 0x7fffeb6baef5 in _zval_ptr_dtor_wrapper (zval_ptr=0x7fffd6bee268) at
/home/tj/php-5.4.14/Zend/zend_variables.c:182
#10 0x7fffeb6d3281 in zend_hash_destroy (ht=0x7fffd6d39768) at /home/tj/php-
5.4.14/Zend/zend_hash.c:560
#11 0x7fffeb6baa
Bug #64722 [Fbk]: PDO extension causes zend_mm_heap corrupted
Edit report at https://bugs.php.net/bug.php?id=64722&edit=1
ID: 64722
Updated by: johan...@php.net
Reported by:tj dot botha at plista dot com
Summary:PDO extension causes zend_mm_heap corrupted
Status: Feedback
Type: Bug
Package:PDO related
Operating System: Ubuntu Server 12.10
PHP Version:master-Git-2013-04-26 (Git)
Block user comment: N
Private report: N
New Comment:
I can't reproduce this on my machine.
Apparently your PHP is not compiled in threaded mode (no tsrm_ls parameters in
the stacktrace) so I assume you're not in threaded mode, so no race conditions.
Can you share more details on your setup and code?
Previous Comments:
[2013-04-30 14:44:16] tj dot botha at plista dot com
I just want to emphasize - that commenting out the code not a solution - since
it
causes errors later down the line. Also, when stepping / breaking at problem
area through the code - the project starts loading in bits and pieces, no
segfaults occur. Only when left to run without breakpoints does it crash -
therefor this really does seem like a concurrency problem.
[2013-04-30 12:45:41] tj dot botha at plista dot com
This appears to be a race condition - so I am unable to reproduce. I am
however
able to make the problem go away by modifying pdo_dbh.c to the following:
static void pdo_dbh_free_storage(pdo_dbh_t *dbh TSRMLS_DC)
{
if (dbh->in_txn && dbh->methods && dbh->methods->rollback) {
dbh->methods->rollback(dbh TSRMLS_CC);
dbh->in_txn = 0;
}
if (dbh->is_persistent && dbh->methods && dbh->methods-
>persistent_shutdown) {
dbh->methods->persistent_shutdown(dbh TSRMLS_CC);
}
//uncomment below to cause zend_mm_heap corrupted
//zend_object_std_dtor(&dbh->std TSRMLS_CC);
//dbh->std.properties = NULL;
dbh_free(dbh TSRMLS_CC);
}
If I recompile this into PHP it works - however now there is most likely a
memory leak. I checked and this code is also new from PHP 5.3. So definitely
it is causing the fault.
Don't know what the real solution is though.
TJ
[2013-04-26 17:53:01] s...@php.net
Do you have a reproducible testcase?
[2013-04-26 14:48:58] tj dot botha at plista dot com
Description:
I have a project which uses MySQL PDO. I Compiled PHP versions 5.4.6, PHP
5.4.14 and PHP 5.6 (from current GIT repositoty - 26 April 2013).
I have various configuration options, but everytime I my configure command
includes --with-pdo-mysql=mysqlnd, I am unable to run my project.
The ONLY log file which shows any kind of information is Apache error.log:
zend_mm_heap corrupted
When I remove --with-pdo-mysql from configure, then my project works okay
(however all my PDO functions are of course missing) and I just get normal
expected PHP errors.
However. When I compile PHP version 5.3.24, it works. I can successfully
include --with-pdo-mysql=mysqlnd, and my project loads without problems.
Test script:
---
I do not have a test script - as I have no indication as to where the app fails
Actual result:
--
#0 0x008ee2c2 in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/tj/php-
latest/Zend/zend.h:409
#1 0x008ee51f in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a,
__zend_filename=0xe38408 "/home/tj/php-latest/Zend/zend_objects.c",
__zend_lineno=54)
at /home/tj/php-latest/Zend/zend_execute.h:76
#2 0x008ef896 in _zval_ptr_dtor (zval_ptr=0x7f88d6068a20,
__zend_filename=0xe38408 "/home/tj/php-latest/Zend/zend_objects.c",
__zend_lineno=54)
at /home/tj/php-latest/Zend/zend_execute_API.c:428
#3 0x009354de in zend_object_std_dtor (object=0x271b880) at
/home/tj/php-latest/Zend/zend_objects.c:54
#4 0x0068aad0 in pdo_dbh_free_storage (dbh=0x271b880) at /home/tj/php-
latest/ext/pdo/pdo_dbh.c:1576
#5 0x0093c9ad in zend_objects_store_del_ref_by_handle_ex (handle=140,
handlers=0x116c2e0 )
at /home/tj/php-latest/Zend/zend_objects_API.c:221
#6 0x0093c6b3 in zend_objects_store_del_ref (zobject=0x7f88d60a4af8)
at
/home/tj/php-latest/Zend/zend_objects_API.c:173
#7 0x00901b6c in _zval_dtor_func (zvalue=0x7f88d60a4af8,
__zend_filename=0xe335f8 "/home/tj/php-latest/Zend/zend_execute.h",
__zend_lineno=81)
at /home/tj/php-latest/Zend/zend_variables.c:54
#8 0x008ee4c1 in _zval_dtor (zvalue=0x7f88d60a4af8,
__zend_filename=0xe335f8 "/home/tj/php-latest/Zend/zend_execute.h",
__zend_lineno=81)
at /home/tj/php-latest/Zend/zend_variables.h:35
#9 0x008ee58c in i_zval_ptr_dtor (zval
